A fully homomorphic encryption scheme may be considered as one that allows the computation of arbitrary functions over encrypted data without requiring the use of a decryption key.
Constructing a fully homomorphic encryption scheme has been a long-standing open problem. The notion, originally called a privacy homomorphism, was introduced by Rivest, Adleman and Dertouzos (R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, pages 169-180, 1978) shortly after the development of RSA by Rivest, Shamir, and Adleman (R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. In Comm. of the ACM, 21:2, pages 120-126, 1978). Basic (unpadded) RSA is a multiplicatively homomorphic encryption scheme: given an RSA public key $pk = (N, e)$ and ciphertexts $\psi_i \leftarrow \pi_i^e \bmod N$, one can efficiently compute $\prod_i \psi_i = \left(\prod_i \pi_i\right)^e \bmod N$, a ciphertext that encrypts the product of the original plaintexts. One may assume that it was RSA's multiplicative homomorphism, an accidental but useful property, that led Rivest et al. to ask a natural question: what can one do with an encryption scheme that is fully homomorphic, that is, a scheme $\varepsilon$ with an efficient algorithm $\mathsf{Evaluate}_\varepsilon$ that, for any valid public key $pk$, any circuit $C$ (not just a circuit consisting of multiplication gates as in RSA), and any ciphertexts $\psi_i \leftarrow \mathsf{Encrypt}_\varepsilon(pk, \pi_i)$, outputs
$$\psi \leftarrow \mathsf{Evaluate}_\varepsilon(pk, C, \psi_1, \ldots, \psi_t),$$
a valid encryption of $C(\pi_1, \ldots, \pi_t)$ under $pk$? Their answer: one can arbitrarily compute on encrypted data, i.e., one can process encrypted data (query it, write into it, do anything to it that can be efficiently expressed as a circuit) without the decryption key. As an application, they suggested private data banks. A user can store its data on an untrusted server in encrypted form. Later, the user can send a query on the data to the server, whereupon the server expresses this query as a circuit to be applied to the data and uses the $\mathsf{Evaluate}_\varepsilon$ algorithm to construct an encrypted response to the user's query, which the user then decrypts. One would obviously want the server's response here to be more concise than the trivial solution, in which the server just sends all of the encrypted data back to the user to process on its own.
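The RSA homomorphism above, worked through in code. This is an added example, not part of the original text; the key is a toy one constructed from two small primes (far too small to be secure), and the function names are this example's own. Beyond the product the text describes, it also checks that adding ciphertexts does not yield an encryption of the sum, and shows the flip side a practitioner cares about: the same homomorphism is what makes unpadded RSA malleable.

```python
# Added example: textbook RSA's multiplicative homomorphism (and its malleability).
# Toy parameters constructed for illustration only; a real modulus is ~2048 bits.
P, Q = 1_000_003, 1_000_033          # two primes, N = P*Q is about 40 bits
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                   # private exponent (modular inverse, Python 3.8+)
PK, SK = (N, E), (N, D)


def rsa_encrypt(pk, m):
    """Basic RSA: psi = pi^e mod N. No padding, so encryption is deterministic."""
    n, e = pk
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def evaluate_product(pk, ciphertexts):
    """Evaluate a circuit made only of multiplication gates on ciphertexts:
    prod_i psi_i = (prod_i pi_i)^e mod N, computed without the secret key."""
    n, _ = pk
    acc = 1
    for c in ciphertexts:
        acc = acc * c % n
    return acc


def product_via_ciphertexts(pk, sk, plaintexts):
    """Encrypt each plaintext, multiply the ciphertexts, decrypt the result."""
    cts = [rsa_encrypt(pk, m) for m in plaintexts]
    return rsa_decrypt(sk, evaluate_product(pk, cts))


def sum_via_ciphertexts_is_correct(pk, sk, m1, m2):
    """RSA is NOT additively homomorphic: adding two ciphertexts mod N does
    not (except by accident) give an encryption of m1 + m2."""
    n, _ = pk
    c = (rsa_encrypt(pk, m1) + rsa_encrypt(pk, m2)) % n
    return rsa_decrypt(sk, c) == (m1 + m2) % n


def forge_scaled_ciphertext(pk, captured, k):
    """Attacker view of the same property: multiplying a captured ciphertext by
    Enc(k) yields a valid encryption of k*pi without knowing pi. This malleability
    is why unpadded RSA must never be used directly for encryption."""
    return evaluate_product(pk, [captured, rsa_encrypt(pk, k)])


if __name__ == "__main__":
    print(product_via_ciphertexts(PK, SK, [12345, 678, 9]))      # 75329190
    print(sum_via_ciphertexts_is_correct(PK, SK, 1000, 2000))    # False
    c = rsa_encrypt(PK, 42)
    print(rsa_decrypt(SK, forge_scaled_ciphertext(PK, c, 10)))   # 420
```

The product is correct only modulo $N$; if the true product of the plaintexts exceeds $N$ the decryptor sees it reduced, which is one reason the text describes homomorphic evaluation over circuits rather than over the integers.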
It is known that one can construct additively homomorphic encryption schemes from lattices or linear codes. The lattice-based scheme and the Reed-Solomon-code-based scheme also allow multiplications, though with exponential expansion in ciphertext size. Ciphertexts in these schemes implicitly contain an "error" (noise) that grows as ciphertexts are combined: it adds under addition and grows much faster under multiplication. Thus, ciphertexts output by Evaluate do not have the same distribution as ciphertexts output by Encrypt, and at some point the error may become large enough to cause incorrect decryption. For this reason, the homomorphism is sometimes referred to as a "pseudohomomorphism" or a "bounded homomorphism".
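An added illustration of the bounded homomorphism just described. The scheme below is a toy symmetric scheme over the integers, constructed for this page; it is not the lattice- or code-based scheme the passage cites and it is not secure. It exhibits the same phenomenon: each ciphertext carries a small noise term whose parity is the plaintext bit, the noise adds under addition and multiplies under multiplication, and decryption is correct only while the noise stays below half the secret modulus. The parameter names and helper functions are this example's own.

```python
import random

# Added example: a toy "noisy" symmetric scheme to show error growth under Evaluate.
# Constructed parameters; a secret odd modulus of ~20 bits is nowhere near secure.
P = 1_000_003                 # secret odd modulus
NOISE_BITS = 8                # fresh noise is m + 2r with 0 <= r < 2^8
MAX_FRESH_NOISE = 1 + 2 * (2 ** NOISE_BITS - 1)   # 511
rng = random.Random(2024)     # fixed seed so runs are reproducible


def encrypt(m):
    """c = m + 2r + P*q. The bit m is the parity of the noise m + 2r; q hides it."""
    r = rng.randrange(2 ** NOISE_BITS)
    q = rng.randrange(2 ** 40)
    return m + 2 * r + P * q


def centered_residue(c):
    """c mod P mapped into (-P/2, P/2]. Equals the true noise while |noise| < P/2."""
    n = c % P
    return n - P if n > P // 2 else n


def decrypt(c):
    return centered_residue(c) % 2


def add(c1, c2):
    return c1 + c2            # noise adds


def mul(c1, c2):
    return c1 * c2            # noise multiplies


def max_guaranteed_additions():
    """Largest k with k * MAX_FRESH_NOISE < P/2: summing that many fresh
    ciphertexts can never push the noise past the decryption threshold."""
    return (P // 2) // MAX_FRESH_NOISE


def max_guaranteed_mul_depth():
    """Largest d with MAX_FRESH_NOISE^d < P/2: multiplicative depth is tiny."""
    d, bound = 0, 1
    while bound * MAX_FRESH_NOISE < P / 2:
        bound *= MAX_FRESH_NOISE
        d += 1
    return d


def sum_of_ones_decrypts(k):
    """Add k encryptions of 1 homomorphically; correct iff result is k mod 2."""
    acc = encrypt(1)
    for _ in range(k - 1):
        acc = add(acc, encrypt(1))
    return decrypt(acc) == k % 2


def product_of_ones_decrypts(depth):
    """Multiply `depth` encryptions of 1; the plaintext product is always 1."""
    acc = encrypt(1)
    for _ in range(depth - 1):
        acc = mul(acc, encrypt(1))
    return decrypt(acc) == 1


def first_failing_addition_count(limit=5000):
    """Smallest k for which the homomorphic sum decrypts wrongly, or None."""
    acc, k = encrypt(1), 1
    while k < limit:
        acc = add(acc, encrypt(1))
        k += 1
        if decrypt(acc) != k % 2:
            return k
    return None


if __name__ == "__main__":
    print("guaranteed additions:", max_guaranteed_additions())      # 978
    print("guaranteed mul depth:", max_guaranteed_mul_depth())      # 2
    print("first failing k:", first_failing_addition_count())       # some k > 978
    print([product_of_ones_decrypts(d) for d in range(1, 6)])       # True, True, then unreliable
```

Because $P$ is odd, the moment the accumulated noise crosses $P/2$ the centered residue wraps and the parity flips, so the first failure is not a gradual degradation but a hard threshold; the bookkeeping above shows why schemes of this kind can only claim correctness for circuits of bounded size and, especially, bounded multiplicative depth.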
There are schemes that use a singly homomorphic encryption scheme to construct a scheme that can perform more complicated homomorphic operations (T. Sander, A. Young, and M. Yung. Non-interactive cryptocomputing for NC1. In Proc. of FOCS '99, pages 554-567, 1999, and Y. Ishai and A. Paskin. Evaluating Branching Programs on Encrypted Data. In Proc. of TCC '07). Sander, Young and Yung (SYY) show that one can use a circuit-private additively homomorphic encryption scheme to construct a circuit-private scheme that can handle arbitrary circuits, where the ciphertext size increases exponentially with the depth of the circuit. Their scheme can, therefore, feasibly evaluate NC1 circuits (those of logarithmic depth). Ishai and Paskin show how to evaluate branching programs, and with much smaller ciphertexts than SYY. In their scheme Evaluate outputs a ciphertext whose length is proportional to the length of the branching program. This remains true even if the size of the branching program is very large, e.g., super-polynomial. However, the computational complexity of their scheme is proportional to the size.
In more detail, Ishai and Paskin use a "leveled" approach to evaluate a branching program. A (deterministic) branching program (BP) P is defined by a DAG with a distinguished initial node, in which each nonterminal node is labeled by an input variable and has two outgoing edges labeled 0 and 1, and where the terminal nodes also carry (output) labels. Evaluating P on an input follows the path from the initial node that takes, at each node, the edge labeled by the value of that node's input variable; the output is the label of the terminal node reached.
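An added example (not code from the cited paper) that makes the "length" versus "size" distinction in the preceding paragraphs concrete. It evaluates a constructed branching program for MAJORITY of three bits in the clear in two ways: by walking the one path the input selects, which touches at most length(P) nodes, and by a bottom-up pass that computes every node's value as a selection between its two children's values, which touches every node, i.e. size(P) of them. The second shape is the one that can be carried out by a party that only holds encryptions of the input bits and therefore cannot pick a path; the encrypted selection step itself is the cited work's contribution and is not reproduced here. Node names and the dictionary encoding are this example's own.

```python
# Added example: a deterministic branching program evaluated two ways.
# Encoding (constructed): nonterminal = ("nonterm", input_index, child_on_0, child_on_1)
#                         terminal    = ("term", output_label)

# Constructed BP computing MAJORITY(x0, x1, x2). Node "n3" is shared by two parents,
# which is what makes it a DAG rather than a tree.
MAJ3 = {
    "n0": ("nonterm", 0, "n1", "n2"),
    "n1": ("nonterm", 1, "zero", "n3"),
    "n2": ("nonterm", 1, "n3", "one"),
    "n3": ("nonterm", 2, "zero", "one"),
    "zero": ("term", 0),
    "one": ("term", 1),
}
START = "n0"


def bp_size(bp):
    """Number of nodes in the DAG (the measure the server's work scales with)."""
    return len(bp)


def bp_length(bp, start):
    """Longest initial-to-terminal path (the measure the output size scales with)."""
    def longest(v):
        node = bp[v]
        if node[0] == "term":
            return 0
        return 1 + max(longest(node[2]), longest(node[3]))
    return longest(start)


def evaluate_by_walking(bp, start, x):
    """Knowing x, follow one path. Returns (label, nonterminals visited)."""
    v, visited = start, 0
    while bp[v][0] == "nonterm":
        _, i, c0, c1 = bp[v]
        v = c1 if x[i] else c0
        visited += 1
    return bp[v][1], visited


def postorder(bp, start):
    """Nodes reachable from start, children before parents."""
    order, seen = [], set()

    def visit(v):
        if v in seen:
            return
        seen.add(v)
        node = bp[v]
        if node[0] == "nonterm":
            visit(node[2])
            visit(node[3])
        order.append(v)

    visit(start)
    return order


def select(bit, a0, a1):
    """The one primitive that must become homomorphic for encrypted evaluation:
    choose between two values by a bit."""
    return a1 if bit else a0


def evaluate_bottom_up(bp, start, x):
    """Without choosing a path, assign every node a value from its children's
    values: val(v) = select(x[i], val(c0), val(c1)). Returns (label, nodes processed)."""
    val = {}
    processed = 0
    for v in postorder(bp, start):
        node = bp[v]
        if node[0] == "term":
            val[v] = node[1]
        else:
            _, i, c0, c1 = node
            val[v] = select(x[i], val[c0], val[c1])
        processed += 1
    return val[start], processed


def both_evaluators_agree_with_majority(bp=MAJ3, start=START):
    """Check both evaluators against the truth table of MAJORITY on all 8 inputs."""
    for n in range(8):
        x = ((n >> 2) & 1, (n >> 1) & 1, n & 1)
        expected = int(sum(x) >= 2)
        if evaluate_by_walking(bp, start, x)[0] != expected:
            return False
        if evaluate_bottom_up(bp, start, x)[0] != expected:
            return False
    return True


if __name__ == "__main__":
    print("size:", bp_size(MAJ3), "length:", bp_length(MAJ3, START))   # size: 6 length: 3
    print(evaluate_by_walking(MAJ3, START, (1, 0, 1)))                  # (1, 3)
    print(evaluate_bottom_up(MAJ3, START, (1, 0, 1)))                   # (1, 6)
    print(both_evaluators_agree_with_majority())                        # True
```

In the bottom-up pass each node's value depends on the values of the two nodes below it, so when those values are ciphertexts the result at a node is an encryption of an encryption, and so on up the DAG; the final ciphertext therefore grows with the number of levels traversed (the length), while the number of selections performed is the number of nodes (the size). That is the asymmetry the text attributes to the Ishai-Paskin scheme.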
Cryptographers have accumulated an assortment of applications for fully homomorphic encryption since then. However, until now, there was no viable construction of a fully homomorphic encryption scheme.